b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n   ADMINISTRATIVE COSTS CLAIMED\n    BY THE COLORADO DISABILITY\n     DETERMINATION SERVICES\n\n      April 2008   A-07-07-17136\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                          SOCIAL SECURITY\nMEMORANDUM\n\nDate:   April 14, 2008                                                            Refer To:\n\nTo:     Nancy A. Berryhill\n        Regional Commissioner\n         Denver\n\nFrom:   Inspector General\n\nSubject:Administrative\n                     Costs Claimed by the Colorado Disability Determination Services\n        (A-07-07-17136)\n\n\n        OBJECTIVE\n        Our objectives were to evaluate the Colorado Disability Determination Services\n        (CO-DDS) internal controls over the accounting and reporting of administrative costs,\n        determine whether costs claimed by the CO-DDS were allowable and properly allocated\n        and funds were properly drawn, and assess limited areas of the general security\n        controls environment. Our audit included the administrative costs claimed by the CO-\n        DDS during Federal Fiscal Years (FY) 2005 and 2006.\n\n        BACKGROUND\n        The Disability Insurance (DI) program, established under Title II of the Social Security\n        Act (Act), provides benefits to wage earners and their families in the event the wage\n        earner becomes disabled. The Supplemental Security Income (SSI) program,\n        established under Title XVI of the Act, provides benefits to financially needy individuals\n        who are aged, blind, and/or disabled.\n\n        The Social Security Administration (SSA) is responsible for implementing policies\n        for the development of disability claims under the DI and SSI programs. Disability\n        determinations under both DI and SSI are performed by Disability Determination\n        Services (DDS) in each State, and other responsible jurisdictions. Such determinations\n        are required to be performed in accordance with Federal law and underlying\n        regulations. 1 In carrying out its obligation, each DDS is responsible for determining\n        claimants\xe2\x80\x99 disabilities and ensuring that adequate evidence is available to support its\n\n\n\n\n        1\n            42 U.S.C. \xc2\xa7 421; 20 C.F.R. \xc2\xa7\xc2\xa7 404.1601 et seq. and 416.1001 et seq.\n\x0cPage 2 - Nancy A. Berryhill\n\ndeterminations. To assist in making proper disability determinations, each DDS is\nauthorized to purchase medical examinations, x-rays, and laboratory tests on a\nconsultative basis to supplement evidence obtained from the claimants\xe2\x80\x99 physicians or\nother treating sources.\n\nSSA reimburses the DDS for 100 percent of allowable reported expenditures up to its\napproved funding authorization. The DDS withdraws Federal funds through the\nDepartment of the Treasury\xe2\x80\x99s (Treasury) Automated Standard Application for Payments\n(ASAP) system to pay for program expenditures. Funds drawn down must comply with\nFederal regulations 2 and intergovernmental agreements entered into by Treasury and\nStates under the Cash Management Improvement Act of 1990. 3\n\nAn advance or reimbursement for costs under the program must comply with the Office\nof Management and Budget\xe2\x80\x99s Circular A-87, Cost Principles for State, Local, and Indian\nTribal Governments. At the end of each quarter of the FY, each DDS is required to\nsubmit a State Agency Report of Obligations for SSA Disability Programs (SSA-4513) to\naccount for program disbursements and unliquidated obligations. 4 The SSA-4513\nreports expenditures and unliquidated obligations for personnel service costs, medical\ncosts, indirect costs, and all other nonpersonnel costs. 5\n\nThe Office of Self Sufficiency is the CO-DDS\xe2\x80\x99 parent agency. The CO-DDS is located in\nAurora, Colorado.\n\nRESULTS OF REVIEW\nOther than the areas discussed in this report, the CO-DDS had effective controls over\nthe accounting and reporting of administrative costs. Furthermore, the costs it claimed\nduring our audit period were allowable, properly allocated, and funds were properly\ndrawn. However, the majority of the CO-DDS\xe2\x80\x99 indirect costs charged to SSA during our\naudit period were based on a cost allocation plan (CAP) that has not been approved by\nthe Division of Cost Allocation (DCA). 6 Accordingly, the allowability of these indirect\n\n\n\n\n2\n    31 C.F.R. \xc2\xa7 205.1 et seq.\n3\n    Pub. L. No. 101-453, 104 Stat. 1058, in part amending 31 U.S.C. \xc2\xa7\xc2\xa7 3335, 6501, and 6503 (1990).\n4\n SSA, POMS, DI 39506.201 and 202. POMS, DI 39506.200 B.4 provides, in part, that \xe2\x80\x9cUnliquidated\nobligations represent obligations for which payment has not yet been made. Unpaid obligations are\nconsidered unliquidated whether or not the goods or services have been received.\xe2\x80\x9d\n5\n    SSA, POMS, DI 39506.201 and 202.\n6\n DCA is located within the Department of Health and Human Services (HHS). The Office of\nManagement and Budget designated HHS as the cognizant Federal agency for reviewing and negotiating\nCAPs. The CAP is used by the component of State government responsible for the performance or\nadministration of a Federal program to charge indirect costs associated with the Federal program.\n\x0cPage 3 - Nancy A. Berryhill\n\ncosts are subject to change following approval of the CAP and the methodologies\ncontained therein. We also found excessive funding authority existed during FY\xe2\x80\x99s\nbefore our audit period that needed to be rescinded. With regard to the CO-DDS\xe2\x80\x99\ngeneral security controls, they do not have an intrusion detection system (IDS) that\ncovers the interior office space, and the security plan does not meet SSA\xe2\x80\x99s\nrequirements as it lacks continuity of operations and disaster recovery plans. 7\n\nINDIRECT COSTS\n\nDuring our audit period, indirect costs were charged to SSA based on a proposed CAP\nthat has not been approved by DCA. 8 Specifically, $1,736,619 of the $2,698,902 of\nindirect costs charged to SSA during our audit period were based on the State Fiscal\nYear (SFY) 2006 proposed CAP that was submitted to DCA, but, as of the date of this\nreport, had not been approved. Although a State can claim reimbursement of indirect\ncosts based on a proposed CAP, the resulting indirect costs charged to a Federal\nprogram must be retroactively adjusted if the CAP approved by DCA differs from the\nproposed CAP. 9 Accordingly, the final allowability of indirect costs charged to SSA\nduring our audit period are subject to change following approval of the SFY 2006 and\n2007 CAPs and the methodologies contained therein.\n\nHistorically, it takes longer than 2 years from the start of the Colorado Department of\nHuman Services\xe2\x80\x99 (CDHS) SFY to the final approval of that SFY\xe2\x80\x99s CAP, as shown in the\ntable on the following page. This occurs because CDHS does not submit its SFY CAP\nto DCA for approval in a timely manner. For example, CDHS did not submit its SFY\n2006 CAP to DCA for approval until 27 months after the start of the SFY. Furthermore,\na lengthy negotiation process between DCA and CDHS following the submission of the\nCAP contributes additional time to the CAP approval process. For example, it took DCA\n28 months to approve the SFY 2005 CAP once it was submitted by CDHS 8 months\nafter the start of the SFY.\n\n\n\n\n7\n    SSA, POMS, DI 39566.010.B.2.g and SSA, POMS, DI 39566.120.C.\n8\n  SFYs 2005 through 2007 CAPs are applicable to indirect costs charged to SSA during our audit period.\nIndirect costs were charged based on the latest proposed CAP, which was SFY 2006 as allowed by\n45 C.F.R. \xc2\xa7 95.517.\n9\n    45 C.F.R. \xc2\xa7 95.517.\n\x0cPage 4 - Nancy A. Berryhill\n\n             Number of Months Elapsing from the Beginning of the State FY\n                    Until the Submission and Approval of the CAP\n                                 Months Elapsing             Months Elapsing\n        State FY CAP\n                                Submission of CAP            Approval of CAP\n            2007                  Not submitted                Not Approved\n            2006                       27                     Not Approved 10\n            2005                        8                           36\n            2004                       19                           26\n            2003                       16                           28\n            2002                       23                           35\n            2001                       20                           25\n            2000                        9                           26\n\nTo determine the reasonableness of indirect costs charged to SSA, we reviewed\nindirect costs for the period July through September 2006. These costs were claimed\nbased on the allocation methodologies outlined in the proposed SFY 2006 CAP.\nTherefore, we compared the cost claimed during this period to the allocation\nmethodologies proposed in the SFY 2006 CAP. We found that these costs were\ncharged to SSA in accordance with the cost allocation methodologies outlined in the\nproposed SFY 2006 CAP.\n\nIf the methodology used to allocate indirect costs to SSA as outlined in the SFY 2006\nproposed CAP is subsequently approved by DCA in the final SFY 2006 and 2007 CAPs,\nthe indirect costs charged to SSA will remain allowable. However, there is a financial\nrisk to SSA when costs are charged to its programs based on proposed CAPs that have\nnot been approved by DCA. Specifically, it is possible that the negotiation process\nbetween CDHS and DCA could result in the approval of a CAP containing a cost\nallocation methodology that is different than that proposed. If that occurs, the costs\ncharged under a proposed CAP may be over or understated. Accordingly, we\nrecommend SSA work together with CDHS to ensure that indirect costs claimed during\nthe fourth quarter of FY 2005 and all of FY 2006 are in accordance with the applicable\nCAPs once they are approved by DCA and collect any costs determined to be\nunallowable.\n\nEXCESS FUNDING AUTHORITY\n\nOur review of ASAP account balances for our audit period (FYs 2005 and 2006), did not\nidentify any excess funding authority. However, we did find that excess funding\nauthorization existed in the CO-DDS\xe2\x80\x99 FY 2002 through 2004 ASAP accounts in the\namount of $77,659. SSA establishes the CO-DDS\xe2\x80\x99 funding authority for each account\n\n\n\n\n10\n     As of January 28, 2008, the SFY 2006 CAP has not been approved by DCA.\n\x0cPage 5 - Nancy A. Berryhill\n\nwithin the ASAP system. 11 Funds drawn through the ASAP system are restricted solely\nfor program use, and any unused funds are required to be returned to Treasury. 12 SSA\nshould reduce DDS funding authorizations when they are no longer needed to make\ndisability determinations. Rescinding excess funding authorization decreases the risk of\nfunds being spent on expenditures not related to the proper FY. The following chart\nillustrates excess funding authority by FY and ASAP account number.\n\n                                       ASAP                  EXCESS FUNDING\n             FEDERAL FY\n                                 ACCOUNT NUMBER                AUTHORITY\n                  2002              0204CODI02                    $2,974\n                  2003              0304CODI00                   $38,601\n                  2003              0304CODI02                    $5,032\n                  2004              0404CODI02                   $31,052\n                 TOTAL                                           $77,659\n\nThe Denver Regional Office (RO) was aware that the State had drawn all the funds\nneeded for these FYs and that excess funding authorizations existed. However, the RO\nstated that it would not reduce excess funding authorization until the CO-DDS submits\nfinal SSA-4513s for these FYs, which it has not done. We recommend SSA instruct the\nCO-DDS to submit a final SSA-4513 for FYs 2002 through 2004 and, upon receipt,\nrescind the excess funding authorization totaling $77,659.\n\nINTRUSION DETECTION SYSTEM\n\nThe CO-DDS did not have an IDS that covered its interior office space and all points of\nentry. An IDS has not been installed because the CO-DDS believed its facility was\nadequately protected by its key card access system and security guard. SSA\ninstructions state, \xe2\x80\x9cAn IDS is required in all facilities unless determined unnecessary....\xe2\x80\x9d\nFor example, an IDS may not be necessary if the office is located in a building with\n24 hour per day guard service and the guard has the ability to adequately monitor the\nDDS facility. 13 However, the guard service at the CO-DDS did not offer 24 hour per day\nprotection. The security guard was in service only during CO-DDS office hours;\ntherefore, the security guard was not able to continually monitor the DDS\xe2\x80\x99 space.\nWithout an IDS, there is an increased risk that unauthorized individuals could gain\naccess during nonworking hours to sensitive SSA information stored within the CO-DDS\noffice space. We recommend SSA instruct the CO-DDS to install an IDS that covers its\ninterior office space and all points of entry.\n\n\n\n11\n  A DDS may have more than one ASAP account identification number during each FY. For example,\nDDS may have an ASAP account dedicated to information technology costs and another account\ndedicated to all other administrative costs.\n12\n     42 U.S.C. \xc2\xa7 421(f).\n13\n     SSA, POMS, DI 39566.010.B.2.g.\n\x0cPage 6 - Nancy A. Berryhill\n\nSECURITY PLAN\n\nThe CO-DDS security plan did not meet current SSA requirements. Specifically the\nsecurity plan did not contain continuity of operations (COOP) or disaster recovery plans\n(DRP) to follow in the event of a disaster impacting CO-DDS operations. SSA\ninstructions state each DDS must establish and maintain a written DDS Security Plan\nand that the security plan should consist of eight parts including the COOP and DRP. 14\nThe CO-DDS stated that they were unaware of the current security plan requirements\nbut will develop a COOP and DRP. An incomplete security plan increases the risk that\nthe CO-DDS may not perform critical operations after a disaster. We recommend SSA\nwork with the CO-DDS to ensure a security plan meeting SSA requirements is\ncompleted timely.\n\nCONCLUSION AND RECOMMENDATIONS\nOther than the areas discussed in this report, the CO-DDS had effective controls over\nthe accounting and reporting of administrative costs. Furthermore, the costs it claimed\nduring our audit period were allowable, properly allocated, and funds were properly\ndrawn. However, the majority of the CO-DDS\xe2\x80\x99 indirect costs charged to SSA during our\naudit period were based on a CAP that has not been approved by DCA. Accordingly,\nthe allowability of these indirect costs are subject to change following approval of the\nCAP and the methodologies contained therein. We also found excessive funding\nauthority existed during FYs before our audit period that needed to be rescinded.\nLastly, the CO-DDS did not have an IDS that covers the interior office space, and its\nsecurity plan did meet SSA\xe2\x80\x99s requirements.\n\nWe recommend the SSA Regional Commissioner:\n\n      1. Work together with CDHS to ensure that indirect costs claimed during the fourth\n         quarter of FY 2005 and all of FY 2006 and are in accordance with the applicable\n         CAPs once they are approved by DCA and collect any costs determined to be\n         unallowable.\n\n      2. Instruct the CO-DDS to submit a final SSA-4513 for FYs 2002 through 2004 and\n         upon receipt rescind the excess funding authorization totaling $77,659.\n\n      3. Instruct the CO-DDS to install an IDS that covers its interior office space and all\n         points of entry.\n\n      4. Work with the CO-DDS to ensure a security plan meeting SSA requirements is\n         completed timely.\n\n\n\n\n14\n     SSA, POMS, DI 39566.120.B and C.\n\x0cPage 7 - Nancy A. Berryhill\n\nOTHER MATTERS\nPERSONALLY IDENTIFIABLE INFORMATION\n\nDisability claimants of the CO-DDS have personally identifiable information (PII)\nroutinely disclosed to vendors. The CO-DDS processes over 30,000 disability\ndeterminations each FY. During the disability determination process, the CO-DDS\npurchases services that include medical evidence (consultative examinations and\nmedical evidence of record) and claimant travel. Our review of medical and applicant\ntravel invoices revealed that these documents contained PII including name, address,\ndate of birth, Social Security number (SSN), and telephone number. Although we have\nno reason to believe this information has been abused, this practice could potentially\nresult in the accidental disclosure of claimant\xe2\x80\x99s PII.\n\nFederal guidance dictates that agencies should reduce their current holdings of all PII to\nthe minimum necessary for the proper performance of a documented agency function. 15\nAgencies must also review their use of SSNs in agency systems and programs to\nidentify instances in which collection or use of the SSN is superfluous. 16\n\nOn October 5, 2007, SSA\xe2\x80\x99s Office of Disability Determinations informed ROs that DDSs\nshould review their processes to eliminate the use of the SSN on correspondence\nwhere possible. The CO-DDS informed us that it has begun removing the SSNs from\ndocuments where it is not absolutely necessary.\n\nAGENCY COMMENTS\nIn commenting on our draft report, SSA and CDHS generally agreed with our\nrecommendations. See Appendices C and D, respectively, for the full text of SSA\xe2\x80\x99s and\nCDHS\xe2\x80\x99 comments.\n\n\n\n\n                                                      Patrick P. O\xe2\x80\x99Carroll, Jr.\n\n\n\n\n15\n     Office of Management and Budget Memorandum M-07-16, Attachment 1 \xc2\xa7 B.1.a.\n16\n     Office of Management and Budget Memorandum M-07-16, Attachment 1 \xc2\xa7 B.2.a.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 Colorado Department of Human Services\xe2\x80\x99 Comments\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                             Appendix A\n\nAcronyms\nAct           Social Security Act\nASAP          Automated Standard Application for Payments\nCAP           Cost Allocation Plan\nCDHS          Colorado Department of Human Services\nC.F.R.        Code of Federal Regulations\nCO-DDS        Colorado Disability Determination Services\nCOOP          Continuity of Operations Plan\nDCA           Division of Cost Allocation\nDDS           Disability Determination Services\nDI            Disability Insurance\nDRP           Disaster Recovery Plan\nFY            Fiscal Year\nHHS           Department of Health and Human Services\nIDS           Intrusion Detection System\nPII           Personally Identifiable Information\nPOMS          Program Operations Manual System\nPub. L. No.   Public Law Number\nRO            Regional Office\nSFY           State Fiscal Year\nSSA           Social Security Administration\nSSA-4513      State Agency Report of Obligations for SSA Disability Programs\nSSI           Supplemental Security Income\nSSN           Social Security Number\nTreasury      Department of the Treasury\nU.S.C.        United States Code\n\x0c                                                                       Appendix B\n\nScope and Methodology\nSCOPE\nTo achieve our objective, we:\n\n \xe2\x80\xa2   Reviewed applicable Federal laws and regulations, pertinent parts of the Social\n     Security Administration\xe2\x80\x99s (SSA) Program Operations Manual System and other\n     criteria relevant to administrative costs claimed by the Colorado Disability\n     Determination Services (CO-DDS), and the draw down of SSA program\n     appropriations.\n\n \xe2\x80\xa2   Interviewed staff at the Colorado Department of Human Services (CDHS) and the\n     CO-DDS.\n\n \xe2\x80\xa2   Reviewed State policies and procedures related to personnel, medical services,\n     and all other nonpersonnel costs.\n\n \xe2\x80\xa2   Evaluated and tested internal controls regarding accounting, financial reporting, and\n     cash management activities.\n\n \xe2\x80\xa2   Reconciled State accounting records to the administrative costs reported by the\n     CO-DDS on the State Agency Report of Obligations for SSA Disability Programs\n     (SSA-4513) for Federal Fiscal Years (FY) 2005 through 2006.\n\n \xe2\x80\xa2   Examined specific administrative expenditures (personnel, medical services, and all\n     other nonpersonnel costs) incurred and claimed by the CO-DDS for FYs 2005 and\n     2006 on the SSA-4513. We used statistical sampling to select expenditures to test\n     for support of the medical service and all other nonpersonnel costs as discussed in\n     the following methodology section of this appendix.\n\n \xe2\x80\xa2   Examined the indirect costs claimed by CO-DDS for FYs 2005 through 2006 and\n     the corresponding cost allocation plan.\n\n \xe2\x80\xa2   Compared the amount of SSA funds drawn for support of program operations to the\n     expenditures reported on the SSA-4513.\n\n \xe2\x80\xa2   Determined whether selected funds from cancelled warrants were properly returned\n     to SSA.\n\n\n\n\n                                           B-1\n\x0c \xe2\x80\xa2   Determined whether unliquidated obligations were properly supported.\n\n \xe2\x80\xa2   Reviewed the CO-DDS\xe2\x80\x99 general security controls.\n\n \xe2\x80\xa2   Reviewed Office of Management and Budget guidance related to safeguarding\n     personally identifiable information.\n\nWe determined that the data provided by CDHS and CO-DDS used in our audit were\nsufficiently reliable to achieve our audit objectives. We assessed the reliability of the\ndata by reconciling it with the costs claimed on the SSA-4513. We also conducted\ndetailed audit testing on selected data elements in the electronic data files.\n\nWe performed work at CDHS, CO-DDS, and the Kansas City, Missouri, Office of Audit.\nWe conducted fieldwork from March through September 2007. The audit was\nconducted in accordance with generally accepted government auditing standards.\n\nMETHODOLOGY\nSAMPLING METHODOLOGY\n\nThe sampling methodology encompassed the four general areas of costs reported on\nthe SSA-4513 (1) personnel, (2) medical, (3) indirect, and (4) all other nonpersonnel\ncosts. We obtained a data extract of all costs and the associated invoices for\nFYs 2005 through 2006 for use in statistical sampling. This was obtained from the\naccounting systems used in the preparation of the SSA-4513.\n\nPersonnel Costs\n\nWe randomly selected 1 pay period, the month of April, in FY 2006 for review. We then\nselected a random sample of 50 regular employees for review and testing of the payroll\nrecords. For medical consultant costs we also selected the month of April, in\nFY 2006, for review. We then selected all 25 medical consultants for review and testing\nof the payroll records.\n\nMedical Costs\n\nWe sampled 100 items (50 items from each of FY 2005 and 2006) using a stratified\nrandom sample of medical costs based on the proportion of medical evidence of record\nand consultative examination costs to the total medical costs claimed.\n\n\n\n\n                                            B-2\n\x0cIndirect Costs\n\nWe selected 1 quarter of FY 2006-the most recent quarter-to review indirect expenses.\nWe selected indirect costs pools that represented 79 percent of the indirect cost claimed\nin the selected quarter. We ensured the selected pools were allocated in accordance\nwith the proposed State FY 2006 cost allocation plan. We determined the allocation\nmethod was reasonable for the type of expense being allocated.\n\nAll Other Nonpersonnel Costs\n\nWe sampled 100 items (50 expenditures from FY 2005 and 50 from FY 2006) using a\nstratified random sample. The random sample was based on the proportion of costs in\neach of the cost categories to the total costs claimed.\n\n\n\n\n                                          B-3\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:      March 28, 2008                                                         Refer To:\n\nTo:        Patrick P. O\xe2\x80\x99Carroll, Jr.\n           Inspector General\n\nFrom:      Nancy Berryhill\n           Denver Regional Commissioner\n\nSubject:   Administrative Costs Claimed by the Colorado Disability Determination Services\n           (A-07-07-17136)--REPLY\n\n\n           Thank you for the opportunity to review the draft report of the 2007 audit of the Colorado\n           Disability Determination Services (CO DDS). Essentially, the audit found that the CO DDS had\n           effective controls over the accounting and reporting of administrative costs, and that costs\n           claimed during the audit period were allowable and properly allocated and funds were properly\n           drawn. However, there were four areas where recommendations have been made requiring SSA\n           actions. Our assessment of these findings and recommendations, along with our response, is\n           outlined below.\n\n           Indirect Costs: At the time of the 2007 audit, the State Fiscal Year 2006 Cost Allocation Plan\n           (CAP) had been submitted to HHS Division of Cost Accounting (DCA), but had not been\n           approved. It was noted that the Colorado Department of Human Services (CDHS) has not\n           submitted timely CAPs and the negotiation process between CDHS and DCA can be lengthy.\n           We concur with this finding. In our meetings with DCA it has been noted that state agencies\n           have no incentive to submit plans timely, and the process for deferring payment because the CAP\n           is out of date is too cumbersome to be an effective tool. We appreciate the analysis you provided\n           of the reasonableness of indirect costs charged in 2006. As DCA provides us with copies of the\n           approved CAP (or the modifications to the new CAP), we will be alert to changes that can\n           retroactively impact costs claimed. In addition, we continue to work with CDHS regarding the\n           need for timely submission of the plan.\n\n           Excess Funding Authority: Review of the Automated Standard Application for Payments\n           (ASAP) account balances did not identify any excess funding authority but it did find excess\n           account balances existed in ASAP for FY 2002 through FY 2005, totaling $77,659. We are\n           aware that account balances may exist for extended periods after the close of the fiscal year, as\n           the DDS has five years from the end of the fiscal year during which they may continue to submit\n           expenses. Additionally, the regional office staff has no direct access to ASAP and cannot take\n           action to rescind excess funding authorizations. However, as recommended, we did request CO\n           DDS (and all DDSs in our region) to submit final SSA-4513s for FY 2002 through 2006 and final\n\n\n                                                         C-1\n\x0callowance advices have been issued. Rescission of excess funding authorization has been\ndeferred to central office staff.\n\nIntrusion Detection System (IDS): The CO DDS does not have an IDS that covers interior office\nspace and all points of entry. We have asked the DDS to correct this security issue and will be\nworking with them to obtain funding to cover the costs.\n\nSecurity Plan: The CO DDS Security Plan did not meet current SSA requirements as it was\nmissing a Continuity of Operation Plan (COOP) and Disaster Recovery Plan (DRP). We have\nprovided the DDS with essential contact information and other suggestions on content for these\nplans, and will continue to work with them to achieve timely development of these documents.\n\nAlthough not one of the findings of the audit, the issue of Personally Identifiable Information\n(PII) was raised. As this is an issue of great concern to this Agency, we have monitored all the\nDDSs in this region with regard to their use of PII. The CO DDS has eliminated the use of PII in\nall correspondence, except requests to medical sources or CE providers, where use of some PII\ninformation remains necessary. We continue to work with our DDSs and as an agency to protect\nPII and eliminate use of SSN or other such data where it is not required.\n\nIf you wish to discuss our comments, please contact me. Staff may contact Elaine Rametta,\nActing Deputy Director of the Center for Disability, at 303 844-4375 or via email at\nElaine.rametta@ssa.gov.\n\n\n\n                            /s/\n                      Nancy Berryhill\n\nCc:\nRuby Burrell\nCandace Skurnik\nJeff Hild\nMaurice Norwood\nCandace Skurnik\nElaine Rametta\n\n\n\n\n                                              C-2\n\x0c                                  Appendix D\n\nColorado Department of Human Services\xe2\x80\x99\nComments\n\x0cD-1\n\x0cD-2\n\x0c                                                                       Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Mark Bailey, Director, Kansas City Audit Division, (816) 936-5591\n\n   Ken Bennett, Information Technology Specialist, (816) 936-5593\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Doug Kelly, Auditor-in-Charge\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. Refer to Common Identification Number\nA-07-07-17136.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External Relations (OER), and\nOffice of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures,\ninternal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and\nQuality Assurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                        Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c'